【破文标题】AHpack 0.1 -> FEUERRADER 的简单分析
【破文作者】yangbing1990[FCT]
【作者邮箱】[email protected]
【破解工具】OD,LoadPE
【破解平台】WinXP
【软件名称】试验小程序
【保护方式】AHpack 0.1
【破解声明】照葫芦画瓢 - -!
------------------------------------------------------------------------
【破解过程】
- ;-----------------------------------------------------------------------
- ; AHpack 0.1 unpacking stub (OllyDbg listing, x86-32, image base 00400000).
- ; Flow: pushad -> resolve GlobalAlloc via GetModuleHandleA/GetProcAddress
- ;   -> GlobalAlloc 0x800 bytes -> decompress the packed data at 00401000
- ;   into that buffer -> copy it back over 00401000 -> walk the import
- ;   directory at RVA 2070 and fill every FirstThunk slot with
- ;   GetModuleHandleA/LoadLibraryA + GetProcAddress -> GlobalFree the
- ;   buffer -> popad -> jmp 00401000 (OEP).
- ; Stub variables: 4040CA = unpack buffer pointer, 4040CE = current DLL
- ;   handle, 4040D2 = 4 * thunk index (reset for every DLL).
- ; The block 00404130..004041C5 appears to match the well-known aPLib x86
- ;   depacker instruction for instruction (literal / code-pair / short-match
- ;   / 4-bit tags, getbit, getgamma); the labels in the comments below are
- ;   named after it.
- ; Analyst note: runtime API resolution through GetModuleHandleA +
- ;   GetProcAddress, in-place unpacking into the code section, a stub-built
- ;   IAT and a final indirect jmp to the OEP are the traits that let this
- ;   stub be recognised without running the payload.
- ;-----------------------------------------------------------------------
- 004040FF > 60 pushad ; save all registers (restored by popad at 00404299)
- 00404100 68 54404000 push AHpack_0.00404054 ; ASCII "KERNEL32.DLL"
- 00404105 B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA>
- 0040410A FF10 call near dword ptr ds:[eax] ; eax = GetModuleHandleA("KERNEL32.DLL")
- 0040410C 68 B3404000 push AHpack_0.004040B3 ; kernel32 handle obtained; 004040B3 -> "GlobalAlloc" (see the call below)
- 00404111 50 push eax ; hModule = kernel32
- 00404112 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
- 00404117 FF10 call near dword ptr ds:[eax] ; eax = GetProcAddress(hKernel32, "GlobalAlloc")
- 00404119 68 00080000 push 800 ; GlobalAlloc address obtained; dwBytes = 0x800
- 0040411E 6A 40 push 40 ; uFlags = GMEM_ZEROINIT
- 00404120 FFD0 call near eax ; eax = GlobalAlloc(GMEM_ZEROINIT, 0x800)
- 00404122 8905 CA404000 mov dword ptr ds:[4040CA], eax ; buffer pointer kept at 4040CA (freed by GlobalFree at 00404297)
- 00404128 89C7 mov edi, eax ; edi = destination: the fresh buffer
- 0040412A BE 00104000 mov esi, AHpack_0.00401000 ; esi = source: packed data at 00401000
- 0040412F 60 pushad ; ---- decompressor ---- (eax = buffer pointer is saved here; popad at 004041C6 restores it)
- 00404130 FC cld ; string ops go forward
- 00404131 B2 80 mov dl, 80 ; dl = bit buffer; 0x80 sentinel = empty, refill on the next getbit
- 00404133 31DB xor ebx, ebx ; ebx = adjustment after the previous tag (2 after a literal, 1 after a match)
- 00404135 A4 movs byte ptr es:[edi], byte ptr ds:[es> ; literal: copy one byte src -> dst
- 00404136 B3 02 mov bl, 2
- 00404138 E8 6D000000 call AHpack_0.004041AA ; nexttag: getbit -> CF
- 0040413D ^ 73 F6 jnb short AHpack_0.00404135 ; tag 0: another literal
- 0040413F 31C9 xor ecx, ecx
- 00404141 E8 64000000 call AHpack_0.004041AA ; getbit
- 00404146 73 1C jnb short AHpack_0.00404164 ; tag 10: code pair (gamma-coded offset / length)
- 00404148 31C0 xor eax, eax
- 0040414A E8 5B000000 call AHpack_0.004041AA ; getbit
- 0040414F 73 23 jnb short AHpack_0.00404174 ; tag 110: short match (offset and length in one byte)
- 00404151 B3 02 mov bl, 2 ; tag 111: a 4-bit value follows
- 00404153 41 inc ecx ; ecx = 1 (copy length 1)
- 00404154 B0 10 mov al, 10 ; al = 0x10 sentinel; falls out after four shifts
- 00404156 E8 4F000000 call AHpack_0.004041AA ; getbit
- 0040415B 10C0 adc al, al ; shift the bit into al
- 0040415D ^ 73 F7 jnb short AHpack_0.00404156 ; loop until the sentinel bit is shifted out
- 0040415F 75 3F jnz short AHpack_0.004041A0 ; al != 0: one-byte match at offset al
- 00404161 AA stos byte ptr es:[edi] ; al == 0: emit a zero byte
- 00404162 ^ EB D4 jmp short AHpack_0.00404138 ; next tag
- 00404164 E8 4D000000 call AHpack_0.004041B6 ; code pair: getgamma with ecx already 0
- 00404169 29D9 sub ecx, ebx ; subtract the previous-tag adjustment
- 0040416B 75 10 jnz short AHpack_0.0040417D ; != 0: normal code pair
- 0040416D E8 42000000 call AHpack_0.004041B4 ; == 0: reuse the last offset; ecx = gamma length
- 00404172 EB 28 jmp short AHpack_0.0040419C
- 00404174 AC lods byte ptr ds:[esi] ; short match: byte = (offset << 1) | length bit
- 00404175 D1E8 shr eax, 1 ; eax = 7-bit offset, CF = length bit
- 00404177 74 4D je short AHpack_0.004041C6 ; offset 0 = end-of-stream marker
- 00404179 11C9 adc ecx, ecx ; ecx = 0 or 1 (+2 below -> length 2 or 3)
- 0040417B EB 1C jmp short AHpack_0.00404199
- 0040417D 91 xchg eax, ecx ; normal code pair: eax = gamma value
- 0040417E 48 dec eax
- 0040417F C1E0 08 shl eax, 8 ; offset high byte = gamma - 1
- 00404182 AC lods byte ptr ds:[esi] ; offset low byte from the stream
- 00404183 E8 2C000000 call AHpack_0.004041B4 ; ecx = gamma length
- 00404188 3D 007D0000 cmp eax, 7D00 ; offset >= 32000: length += 2
- 0040418D 73 0A jnb short AHpack_0.00404199
- 0040418F 80FC 05 cmp ah, 5 ; offset >= 1280: length += 1
- 00404192 73 06 jnb short AHpack_0.0040419A
- 00404194 83F8 7F cmp eax, 7F ; offset > 127: length += 0, otherwise += 2
- 00404197 77 02 ja short AHpack_0.0040419B
- 00404199 41 inc ecx
- 0040419A 41 inc ecx
- 0040419B 95 xchg eax, ebp ; ebp = new last offset
- 0040419C 89E8 mov eax, ebp ; eax = offset to copy from
- 0040419E B3 01 mov bl, 1
- 004041A0 56 push esi ; domatch: copy ecx bytes from edi - eax (overlapping LZ copy)
- 004041A1 89FE mov esi, edi
- 004041A3 29C6 sub esi, eax
- 004041A5 F3:A4 rep movs byte ptr es:[edi], byte ptr d>
- 004041A7 5E pop esi
- 004041A8 ^ EB 8E jmp short AHpack_0.00404138 ; next tag
- 004041AA 00D2 add dl, dl ; getbit: shift the bit buffer, CF = next bit
- 004041AC 75 05 jnz short AHpack_0.004041B3 ; bits left in dl
- 004041AE 8A16 mov dl, byte ptr ds:[esi] ; empty: refill from the stream
- 004041B0 46 inc esi
- 004041B1 10D2 adc dl, dl ; CF = top bit of the new byte; the carry from 0x80+0x80 becomes the new sentinel
- 004041B3 C3 retn
- 004041B4 31C9 xor ecx, ecx ; getgamma: decode an Elias-gamma-style value into ecx
- 004041B6 41 inc ecx ; getgamma_no_ecx: ecx starts at 1
- 004041B7 E8 EEFFFFFF call AHpack_0.004041AA
- 004041BC 11C9 adc ecx, ecx ; shift a data bit in
- 004041BE E8 E7FFFFFF call AHpack_0.004041AA
- 004041C3 ^ 72 F2 jb short AHpack_0.004041B7 ; continuation bit set: more bits follow
- 004041C5 C3 retn
- 004041C6 61 popad ; ---- end of decompressor ---- (eax = buffer pointer again)
- 004041C7 B9 FC070000 mov ecx, 7FC ; loop counter (author: size of the unpacked data)
- 004041CC 8B1C08 mov ebx, dword ptr ds:[eax+ecx] ; dword at buffer + ecx
- 004041CF 8999 00104000 mov dword ptr ds:[ecx+401000], ebx ; store it at 00401000 + ecx
- 004041D5 ^ E2 F5 loopd short AHpack_0.004041CC ; copy the unpacked data back to 00401000, end to start; ecx steps by 1, so the dword stores overlap, and the byte at offset 0 is never written by this loop -- confirm it is already in place
- 004041D7 90 nop
- 004041D8 90 nop
- 004041D9 BA 00004000 mov edx, AHpack_0.00400000 ; edx = image base
- 004041DE BE 70200000 mov esi, 2070 ; RVA of the import directory, i.e. the first IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk at +0)
- 004041E3 01D6 add esi, edx ; esi = descriptor VA
- 004041E5 8B46 0C mov eax, dword ptr ds:[esi+C] ; eax = Name RVA (descriptor +0xC)
- 004041E8 85C0 test eax, eax
- 004041EA 0F84 87000000 je AHpack_0.00404277 ; Name == 0: every DLL has been processed
- 004041F0 01D0 add eax, edx ; eax = DLL name VA
- 004041F2 89C3 mov ebx, eax ; keep the name for the LoadLibraryA fallback
- 004041F4 50 push eax
- 004041F5 B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA>
- 004041FA FF10 call near dword ptr ds:[eax] ; eax = GetModuleHandleA(DllName)
- 004041FC 85C0 test eax, eax
- 004041FE 75 08 jnz short AHpack_0.00404208 ; module already loaded
- 00404200 53 push ebx
- 00404201 B8 4C404000 mov eax, <&KERNEL32.LoadLibraryA> ; not loaded yet: LoadLibraryA(DllName)
- 00404206 FF10 call near dword ptr ds:[eax] ; NOTE: a NULL return is not checked; a missing DLL reaches GetProcAddress below with hModule = 0
- 00404208 8905 CE404000 mov dword ptr ds:[4040CE], eax ; current DLL handle kept at 4040CE
- 0040420E C705 D2404000 0>mov dword ptr ds:[4040D2], 0 ; 4040D2 = 4 * thunk index, reset for each DLL
- 00404218 BA 00004000 mov edx, AHpack_0.00400000 ; edx = image base (head of the per-function loop)
- 0040421D 8B06 mov eax, dword ptr ds:[esi] ; eax = OriginalFirstThunk RVA
- 0040421F 85C0 test eax, eax
- 00404221 75 03 jnz short AHpack_0.00404226
- 00404223 8B46 10 mov eax, dword ptr ds:[esi+10] ; OriginalFirstThunk == 0: use FirstThunk (+0x10) instead
- 00404226 01D0 add eax, edx ; thunk table VA
- 00404228 0305 D2404000 add eax, dword ptr ds:[4040D2] ; + 4 * index
- 0040422E 8B18 mov ebx, dword ptr ds:[eax] ; ebx = thunk: RVA of IMAGE_IMPORT_BY_NAME, or ordinal | 80000000
- 00404230 8B7E 10 mov edi, dword ptr ds:[esi+10] ; FirstThunk RVA
- 00404233 01D7 add edi, edx ; FirstThunk VA
- 00404235 033D D2404000 add edi, dword ptr ds:[4040D2] ; edi = IAT slot to fill
- 0040423B 85DB test ebx, ebx
- 0040423D 74 2B je short AHpack_0.0040426A ; thunk == 0: this DLL's imports are done
- 0040423F F7C3 00000080 test ebx, 80000000 ; IMAGE_ORDINAL_FLAG
- 00404245 75 04 jnz short AHpack_0.0040424B ; import by ordinal
- 00404247 01D3 add ebx, edx ; by name: VA of IMAGE_IMPORT_BY_NAME
- 00404249 43 inc ebx
- 0040424A 43 inc ebx ; skip the 2-byte Hint; ebx -> function name
- 0040424B 81E3 FFFFFF0F and ebx, 0FFFFFFF ; strip the ordinal flag (also applied to name VAs, harmless while the image is mapped below 10000000)
- 00404251 53 push ebx ; lpProcName (name or ordinal)
- 00404252 FF35 CE404000 push dword ptr ds:[4040CE] ; hModule = current DLL
- 00404258 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
- 0040425D FF10 call near dword ptr ds:[eax] ; eax = function address
- 0040425F 8907 mov dword ptr ds:[edi], eax ; write it into the IAT slot
- 00404261 8305 D2404000 0>add dword ptr ds:[4040D2], 4 ; next thunk
- 00404268 ^ EB AE jmp short AHpack_0.00404218 ; loop over this DLL's functions
- 0040426A 83C6 14 add esi, 14 ; next IMAGE_IMPORT_DESCRIPTOR (sizeof = 0x14)
- 0040426D BA 00004000 mov edx, AHpack_0.00400000 ; edx = image base
- 00404272 ^ E9 6EFFFFFF jmp AHpack_0.004041E5 ; loop over DLLs
- 00404277 68 54404000 push AHpack_0.00404054 ; ASCII "KERNEL32.DLL"
- 0040427C B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA>
- 00404281 FF10 call near dword ptr ds:[eax] ; eax = GetModuleHandleA("KERNEL32.DLL")
- 00404283 68 BF404000 push AHpack_0.004040BF ; ASCII "GlobalFree"
- 00404288 50 push eax
- 00404289 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
- 0040428E FF10 call near dword ptr ds:[eax] ; eax = GetProcAddress(hKernel32, "GlobalFree")
- 00404290 8B15 CA404000 mov edx, dword ptr ds:[4040CA] ; the buffer allocated at 00404120
- 00404296 52 push edx
- 00404297 FFD0 call near eax ; GlobalFree(buffer)
- 00404299 61 popad ; restore the registers saved at 004040FF
- 0040429A BA 00104000 mov edx, AHpack_0.00401000 ; OEP
- 0040429F FFE2 jmp near edx ; transfer control to the unpacked program
- 004042A1 90 nop
- 004042A2 C3 retn
最后膜拜YAYA兽，附上程序